full-dress-10026

06/22/2021, 6:06 PM
Does Pulumi support AWS profiles set with a role_arn (example, i.e., AssumeRole)? I'd assume yes since it just calls out to AWS using Go & the default creds chain, but I'd just like to confirm. The note in the Pulumi AWS docs seems to hint Pulumi may not support this flow by default, "If you are using temporary security credentials, you will also have to supply an AWS_SESSION_TOKEN value before you can use Pulumi to create resources on your behalf."
acceptable-army-69872

06/22/2021, 10:11 PM
I do it that way with TypeScript and temp creds coming from saml2aws. Or if you're running it on an instance that has the ability to assume other roles, you can create additional providers which will pull creds with something like (I'm sure there's a Go equiv):
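import * as aws from "@pulumi/aws";

// `account` is defined elsewhere in the program (one entry per target AWS account).
// Resources created with this provider use credentials from assuming the role below.
new aws.Provider(`${account.id}-provider`, {
    assumeRole: {
        roleArn: `arn:aws:iam::${account.id}:role/some_other_role`,
        sessionName: "PulumiSession",
    },
    region: 'us-east-1',
});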